App Legitimacy

One of the major vectors for malware is the repackaging of existing apps. Repackaged apps damage
revenue streams and cause reputational damage. Approov stops repackaged apps from accessing your online services by verifying that
the app code has not been tampered with.

The Fake App Problem

Studies show that one of the major threats to the security and integrity of the mobile ecosystem
is malware posing as legitimate apps, created by altering and repackaging genuine apps. These fake apps can contain malicious code with a
variety of objectives:

Steal advertising revenue

Gather confidential user information

Gain access to usernames and passwords

Recruit for mobile botnets

Some of these threats are targeted at the owners of mobile devices, some at mobile app developers and some at the
businesses at the end of the API. For example, many apps depend on ad revenue as their main income stream, and fake apps that
siphon off this revenue can be very damaging. If user credentials are compromised, or if the fake apps appear to be ad-infested
or power hungry, this reflects negatively on the mobile app developer. Fake apps may also
access the web services used by the genuine app, such as analytics, usage information or scoring for online games.
This data then becomes polluted and is not useful for real app users or the businesses providing the web services.

App Validation with Approov

Approov is a way to prevent successful repackaging of apps that use web services to provide some
of their capabilities. In a process analogous to user authentication, the Approov SDK integrates with the app and provides
a mechanism to verify the authenticity of the code being used to access an API. By positively identifying traffic from
genuine apps, attempts to use the API from repackaged apps or other unofficial clients can be blocked. Fake apps are
simply unable to access any of the features provided by the app servers and fail to work.

By using Approov to identify legitimate apps, API producers can gain confidence that the software
being used to access their servers does not have malicious intent. Approov implements an additional layer of security for
API servers and is a more robust method of gating access than API keys. It also allows for specific versions of
software to be positively identified and granted access to an API. This can be useful in areas with strict regulatory
constraints such as healthcare and banking.